DETAILED ACTION 
Claims 1-34 have been examined and are pending. 

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office 
action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 706.07(a). Applicant is 
reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

Claim Rejections - 35 USC §103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

Claims 1-10, 12-15, 17-22, 25-31, 33 and 34 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over prior art of record, Orchier et al, herein Orchier, (USP 6,070,244) and further 
in view of Rowland (USP 6,405,318). 

As per claim 1, Orchier teaches an event parser in communication with at 
least one network service device, the event parser being able to receive log data 
in real time from the device, the log data including information detailing a network 
intrusion event received from the network service device if an intrusion has 
occurred, the event parser being able to parse the information to create a 
corresponding event object concerning the intrusion event (column 4, lines 5-10); 

an event manager in communication with the event parser, the event 
manager being able to receive the event object, the event manager being 
configured to evaluate the event object according to at least one predetermined 
threshold condition such that, when the event object satisfies the predetermined 
threshold condition, the event manager designates the event object to be 
broadcast in real time (column 4, lines 10-21); 

Orchier teaches an event broadcaster in communication with the event manager for 
receiving event objects designated by the event manager for broadcast, the event broadcaster 
being able to transmit the event object as an intrusion alarm; and means for alerting the user that 
a network intrusion event has occurred (column 4, lines 27-30). 

Orchier fails to teach transmitting the event object in real time, relative to the receipt of 
the log data, as an intrusion alarm. 

However, Rowland teaches a computer-implemented intrusion detection system and 
method that monitors a computer system in real time for activity indicative of attempted or actual 
access by unauthorized users (see abstract). 

Rowland further teaches transmitting the event object in real time, relative to the receipt 
of the log data, as an intrusion alarm (col. 7, line 55 through col. 8, line 7). 

It would have been obvious to one of ordinary skill in the art to modify Orchier's 
event broadcaster to that of Rowland's real time detection system to be able to detect intrusions 
as they are occurring or soon after (Rowland, col. 2, lines 20-22). 

As per claim 25, Orchier teaches a method for detecting and monitoring network 
intrusion events from log data received from network service devices in a computer network, 
wherein the network service device comprises a device from a group comprising a firewall, VPN 
(virtual private network) server or router, and e-mail server, comprising the steps of: 
receiving log data in real time, the log data including information detailing at least one 
network intrusion event received from the at least one network service device (column 4, lines 5- 
10); 

parsing the log data information to create a corresponding event object 
(column 4, lines 10-21); 

evaluating the event object according to at least one predetermined 
threshold condition (column 4, lines 27-30); 

where the information contained within the event object satisfies the 
predetermined threshold condition, broadcasting the event object as an intrusion 
alarm to a display screen on a graphic user interface (column 13, lines 10-12). 

Orchier teaches an event broadcaster in communication with the event manager for 
receiving event objects designated by the event manager for broadcast, the event broadcaster 
being able to transmit the event object as an intrusion alarm; and means for alerting the user that 
a network intrusion event has occurred (column 4, lines 27-30). 

Orchier fails to teach broadcasting the event object in real time, relative to the receipt of 
the log data, as an intrusion alarm. 

However, Rowland teaches a computer-implemented intrusion detection system and 
method that monitors a computer system in real time for activity indicative of attempted or actual 
access by unauthorized users (see abstract). 

Rowland further teaches transmitting the event object in real time, relative to the receipt 
of the log data, as an intrusion alarm (col. 7, line 55 through col. 8, line 7). 
It would have been obvious to one of ordinary skill in the art to modify Orchier's event 
broadcaster to that of Rowland's real time detection system to be able to detect intrusions as they 
are occurring or soon after (Rowland, col. 2, lines 20-22). 

As per claim 2, Orchier teaches alerting the user that a network intrusion 
event has occurred is a graphical user interface in communication with the event 
broadcaster, the graphical user interface comprising a display screen for 
displaying an intrusion alarm and the information contained within the 
corresponding event object received from the event broadcaster (column 13, 
lines 10-12). 

As per claims 3 and 26, Orchier teaches: 

means for storing event objects, said means coupled to the event parsers (column 5, lines 
30-40); 

a report servlet coupled to the graphic user interface, the report servlet for recalling 
stored event objects in response to user queries from the graphic user interface and displaying 
recalled event objects on the graphic user interface display screen (column 13, lines 42-44); 

an application reporter coupled to the report servlet for receiving and processing user 
queries and for performing searches of stored event objects (column 13, lines 42-44); and 

a database accessible by the application reporter, for holding stored event objects, the 
database configured to recall event objects in response to searches executed by the application 
reporter (column 5, lines 30-40). 

As per claims 4 and 27, Orchier teaches: 
a network port to receive log data having a conforming message format from at least one 
network service device (column 4, lines 19-21); 

means for transmitting the log data having a conforming message format to the event 
parsers, said means coupled to the network port (column 4, lines 5-10); and 

a reporting agent coupled to the network port for collecting log data having a 
nonconforming message format from the at least one network service device and converting the 
log data to a conforming message format (column 4, lines 7-10). 

As per claims 5 and 28, Orchier teaches the conforming message format is syslog 
(column 13, line 50). 

As per claim 6, Orchier teaches the graphical user interface display screen comprises an 
alarm console, coupled to the event broadcaster, configured to display intrusion alarms, and a 
report console, coupled to the report servlet, configured to execute queries input by a user and 
display results, wherein the alarm console and event broadcaster are displayed simultaneously on 
the display screen (column 14, lines 5-10 and Fig 8b). 

As per claims 7 and 30, Orchier teaches the report console is further configured to 
display query result data in summary lines, said summary lines comprising hypertext links 
providing access to further data (column 13, lines 45-50 and Fig 8b, 'Note'). 

As per claims 8 and 29, Orchier teaches the alarm console displays intrusion alarms in 
summary lines, said summary lines comprising hypertext links providing access to further data 
(column 13, lines 45-50 and Fig 8b, 'Note'). 

As per claim 9, Orchier teaches the graphical user interface displays the status of 
network security devices in real time (column 2, lines 30-35). 
As per claim 10, Orchier teaches the graphical user interface displays the status of 
network security devices in summary lines, said summary lines comprising hypertext links 
providing access to further data (column 13, lines 45-48 and Fig 8b, 'Note'). 

As per claims 12, 33, and 34, Orchier teaches comprising a chat manager accessible to a 
user from the alarm console for executing electronic communications links between the user and 
others having an electronic communications link to the computer system (column 13, lines 10-15 
and column 14, lines 5-10). 

As per claim 13, Orchier teaches the electronic communications link is an on line link 
established through a web browser interface (column 13, lines 35-52). 

As per claim 14, Orchier teaches a plurality of event parsers wherein each event parser is 
configured to receive log data from a predetermined network service device, the plurality of 
parsers each coupled to the event manager (column 4, lines 1-5). 

As per claim 15, Orchier teaches the information contained within the event object 
is read by the event manager and assigned a severity level corresponding to the event type 
information contained within the event object, and the predetermined threshold condition is the 
assigned severity level (column 13, lines 24-28 and column 13, lines 65-66). 

As per claim 17, Orchier teaches an event aggregator module and wherein the event 
parser is housed within the event aggregator module, and log data from a multiplicity of network 
device sources is received by the event parser (Figure 2, element 54). 

As per claim 18, Orchier teaches the event parser reads log data posted in extensible 
markup language (column 13, lines 45-55). 
As per claim 19, Orchier teaches the computer system is one of a multiplicity of 
computer systems each having a graphic user interface and the computer system further 
comprises a central graphic user interface which accesses at least one of the graphic user 
interfaces of the multiplicity of computer systems (column 5, lines 19-25). 

As per claim 20, Orchier teaches the central graphic user interface accesses at least one 
of the report servlets of the multiplicity of computer systems and communicates with at least one 
of the databases of the multiplicity of computer systems (column 5, lines 19-25 and column 7, 
lines 28-50). 

As per claim 21, Orchier teaches filtering event objects received by the event manager 
according to one or more predetermined conditions so as to restrict the field of event objects 
designated for broadcast (column 4, lines 19-30 and column 13, lines 32-35). 

As per claims 22 and 31, Orchier teaches filtering log data received at the network port 
according to one or more predetermined conditions so as to restrict receipt of corresponding log 
data by said transmitting means (column 13, lines 55-67). 
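The pipeline recited in claims 1 and 25 above (event parser, event manager with a threshold condition, event broadcaster), together with the severity assignment of claim 15, the event-object filters of claim 21 and the reporting agent of claim 4, is easier to follow as running code. The block below is an added illustration written for this page; it is not code from the application, from Orchier, or from Rowland. The syslog-style line format, the seven-entry event-type/severity table, the comma-separated "nonconforming" record format and all sample log lines are constructed for the example.

```python
"""Added example (not code from the application or any cited patent): a
minimal model of the pipeline recited in claims 1 and 25, with the severity
assignment of claim 15, the event-object filters of claim 21 and the
reporting agent of claim 4.  Event types, severity table, record formats and
log lines are all constructed for this illustration."""
from __future__ import annotations

import re
import time
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Conforming message format (cf. claim 5): RFC 3164-style syslog,
#   <PRI>Mmm dd hh:mm:ss host app: key=value key=value ...
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\s]+): (?P<msg>.*)$"
)

# Constructed event-type -> severity table with seven categories (cf. claim 16);
# 1 is the most severe, 7 the least.
EVENT_SEVERITY = {
    "root_login_failed": 1, "port_scan": 2, "policy_deny": 3,
    "vpn_auth_failed": 4, "relay_refused": 5, "config_change": 6, "info": 7,
}


@dataclass
class EventObject:
    host: str
    app: str
    event_type: str
    fields: dict
    received_at: float      # receipt time of the log data (for the latency figure)
    severity: int = 7       # assigned later by the event manager (claim 15)


def parse_syslog(line: str, received_at: Optional[float] = None) -> Optional[EventObject]:
    """Event parser: one conforming log line -> one event object, or None
    when the line does not match the conforming format."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["msg"].split() if "=" in kv)
    event_type = fields.pop("event", "info")
    stamp = time.time() if received_at is None else received_at
    return EventObject(m["host"], m["app"], event_type, fields, stamp)


def reporting_agent(record: str, ts: str = "Jan 01 00:00:00") -> str:
    """Reporting agent (claim 4): convert a nonconforming record into a
    conforming syslog line.  The input layout 'host, app, event, src' is
    constructed for the example."""
    host, app, event, src = [part.strip() for part in record.split(",")]
    return f"<13>{ts} {host} {app}: event={event} src={src}"


class EventManager:
    """Assigns a severity from the event type, applies the predetermined
    filters (claim 21) and the threshold condition, and says whether the
    event object is designated for broadcast."""

    def __init__(self, threshold: int,
                 filters: Iterable[Callable[[EventObject], bool]] = ()):
        self.threshold = threshold      # alarm when severity <= threshold
        self.filters = list(filters)    # every predicate must hold to keep the event

    def evaluate(self, ev: EventObject) -> bool:
        ev.severity = EVENT_SEVERITY.get(ev.event_type, 7)
        if not all(keep(ev) for keep in self.filters):
            return False
        return ev.severity <= self.threshold


class EventBroadcaster:
    """Turns designated event objects into alarms and pushes them to subscribers
    (an alarm console, a pager, ...) as soon as they are designated."""

    def __init__(self):
        self.subscribers: list[Callable[[dict], None]] = []
        self.alarms: list[dict] = []

    def subscribe(self, fn: Callable[[dict], None]) -> None:
        self.subscribers.append(fn)

    def broadcast(self, ev: EventObject) -> dict:
        alarm = {"host": ev.host, "app": ev.app, "event_type": ev.event_type,
                 "severity": ev.severity, "fields": dict(ev.fields),
                 "latency_s": time.time() - ev.received_at}   # receipt -> alarm delay
        self.alarms.append(alarm)
        for fn in self.subscribers:
            fn(alarm)
        return alarm


def run_pipeline(lines: Iterable[str], manager: EventManager,
                 broadcaster: EventBroadcaster) -> list[dict]:
    """Parse -> evaluate -> broadcast, one line at a time as the data arrives."""
    for line in lines:
        ev = parse_syslog(line)
        if ev is not None and manager.evaluate(ev):
            broadcaster.broadcast(ev)
    return broadcaster.alarms


# Constructed sample log data from a firewall, a VPN server and a mail server.
SAMPLE_LINES = [
    "<34>Jan 12 10:00:01 fw01 ipfw: event=policy_deny proto=tcp src=203.0.113.5 dst=192.0.2.10 dport=22",
    "<38>Jan 12 10:00:02 vpn01 sshd: event=root_login_failed src=198.51.100.7",
    "<30>Jan 12 10:00:03 fw01 ipfw: event=info msg=heartbeat",
    "<38>Jan 12 10:00:04 vpn01 openvpn: event=vpn_auth_failed user=bob",
    "<34>Jan 12 10:00:05 lab-fw ipfw: event=port_scan src=10.0.0.3",
    reporting_agent("mail01, postfix, relay_refused, 203.0.113.9"),
    "this line is not syslog and is dropped by the parser",
]


def demo() -> list[dict]:
    """Alarm on severity 3 or worse; the lab firewall is filtered out (claim 21)."""
    manager = EventManager(threshold=3, filters=[lambda e: e.host != "lab-fw"])
    broadcaster = EventBroadcaster()
    broadcaster.subscribe(lambda a: print(f"ALARM sev={a['severity']} {a['host']} {a['event_type']} {a['fields']}"))
    return run_pipeline(SAMPLE_LINES, manager, broadcaster)


if __name__ == "__main__":
    demo()
```

Running the file feeds the constructed lines through the pipeline: the firewall deny and the failed root login cross the threshold and are broadcast, the heartbeat, VPN and mail events fall below it, the lab firewall's port scan is suppressed by the host filter, and the malformed line never becomes an event object. The `latency_s` field is what a "real time, relative to the receipt of the log data" requirement would be measured against.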

Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject 
matter sought to be patented and the prior art are such that the subject matter as a whole 
would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claim 11 is rejected under 35 U.S.C. 103(a) as being unpatentable over Orchier and 
Rowland in view of Battat et al, herein Battat, (USP 5,958,012). 

As per claim 11, Orchier does not teach the graphical user interface 
displays the status of network security devices in a color-coded format where 
said color designates a particular status level for the particular device. Battat 
teaches displaying the status of network security devices in a color-coded 
format where said color designates a particular status level for the 
particular device (column 5, lines 5-7). Battat uses a color-coded status level so 
that events that need immediate attention are quickly spotted first. It would be 
advantageous to act upon the most severe threat first. 

In view of this, it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to employ the teaching of Battat within the system of Orchier because it 
would allow the events to be color-coded which would help the administrator to differentiate 
between severe threats and minor threats. One skilled in the art would have been motivated to 
generate the claimed invention with a reasonable expectation of success. 

Claim 16 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Orchier and Rowland in view of Hill et al, herein Hill, (USP 6,088,804). 

As per claim 16, Orchier fails to teach that the severity level is one of seven categories 
for types of events contained within event objects. Hill teaches categorizing types of events into 
more than one category (column 14, lines 26-29). 

Categorizing types of events is advantageous because it would allow the 
user to quickly identify the severity level of the problem. 

In view of this, it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to employ the teaching of Hill within the system of Orchier because it 
would allow the events to be categorized, which would help the administrator to differentiate 
between severe threats and those threats of less importance. One skilled in the art would have 
been motivated to generate the claimed invention with a reasonable expectation of success. 

Claims 23, 24, and 32 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Orchier and Rowland. 

As per claims 23, 24, and 32, Orchier teaches the predetermined conditions are 
application name, host name, and internal device alarm identification (column 13, lines 55-66). 

Orchier teaches retrieving data by various network domain parameters. Orchier is silent 
in expressly disclosing using the source address, destination address, destination port, and 
protocol. Orchier's computer system without a doubt does log these types of parameters, as any 
network monitoring system would need to log, in order to adequately monitor and protect the 
entire network. Since these types of parameters are being logged, it would have been obvious to 
one of ordinary skill in the art to also use these parameters as conditions in which to retrieve 
crucial network data. 

In view of this it would have been obvious to one of ordinary skill in the art to modify 
the teachings of Orchier by also using the source address, destination address, destination port, 
and protocol to retrieve log data about an event. 
Action is Final 

THIS ACTION IS FINAL. Applicant is reminded of the extension of time policy as set forth in 
37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 
1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, 
will the statutory period for reply expire later than SIX MONTHS from the mailing date of this 
final action. 

Conclusion 

Prior art made of record and not relied upon: 

US Patent 6,347,374 is directed to a system for event detection employing a collector 
that collects raw audit data made up of raw audit data records at an audit source; a database; an 
inserter at a downstream processing location that inserts Virtual Records into the database, 
including both a first type of Virtual Record generated in response to a raw audit data record, and 
a second type of Virtual Record generated in response to a detected audit event; the inserter; a 
parser; coupled to the collector, that converts raw audit data records in the raw audit data into 
Virtual Records; a detector that detects audit events in response to the Virtual Records generated 
by the parser, and generates the second type of Virtual Record in the event an audit event is 
detected. 
Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Taghi T. Arani whose telephone number is (571) 272-3787. The 
examiner can normally be reached 8:00-5:30 Mon-Fri. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



Taghi T. Arani, Ph.D. 



Examiner 
Art Unit 2131 